Posted by Iván Sánchez Ortega on 03/11/07 22:23
dino d. wrote:
 > ok, sorry for the top posting, by "top posting" you mean writing your
 > reply at the top, right?  back to the question - i don't want to give
 > the user an opportunity to monkey around with the html somehow, and
 > send back a bogus response via a POST variable.
 
 Then don't allow your users to get anywhere near a web browser.
 
 > I want to ensure 2 things- first, that the person is authorized to edit
 > this row,
 
 Use a decent auth, and implement some kind of ACLs.
 
 > and second, that this is the row that he or she is authorized to
 > edit.
 
 Easy - echo the row primary key. No need to obfuscate it. In your "security"
 paranoia, you are forgetting about more important things - like data
 integrity and concurrency.
 
 > It sounds like sessions are the way to go with some kind of
 > encryption. Is that the generally accepted way of doing this?
 
 The accepted way to do this is to learn about the possible meanings
 of "security" in computer science (integrity, confidentiality, reliability,
 non-repudiation, etc etc). Then, think about what you *really* need in your
 app.
 
 --
 ----------------------------------
 Iván Sánchez Ortega -ivansanchez-algarroba-escomposlinux-punto-org-
 
 http://acm.asoc.fi.upm.es/~mr/
 Proudly running Debian Linux with 2.6.18-4-amd64 kernel, KDE3.5.3, and PHP
 5.2.0-10 generating this signature.
 Uptime: 23:13:59 up 1 day,  9:35,  3 users,  load average: 0.92, 0.87, 0.66
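The approach the reply recommends (send the plain primary key, verify authorization server-side against a session-held user and an ACL, and protect the row against concurrent edits) as an added example, not code from the original post or its author. The `notes` table, its `owner_id`/`version` columns, the `$acl` array and the sample user ids are all constructed for the example; the in-memory SQLite database is used only so it runs stand-alone.

```php
<?php
// Added example (not from the original post). Schema, ACL and user ids
// are constructed; only the server-side checks are the point.
declare(strict_types=1);

// In-memory SQLite through PDO so the example runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed sample table: each row has an owner and a version counter
// that is used for optimistic concurrency control.
$db->exec('CREATE TABLE notes (
    id       INTEGER PRIMARY KEY,
    owner_id INTEGER NOT NULL,
    body     TEXT    NOT NULL,
    version  INTEGER NOT NULL DEFAULT 1
)');
$db->exec("INSERT INTO notes (id, owner_id, body) VALUES (7, 42, 'original text')");

// Constructed ACL: extra editors per row, beyond the owner.
$acl = ['editors_for_row' => [7 => [99]]];

// Authorization lives entirely on the server: the user id comes from the
// session, the row id is the plain primary key echoed in the form.
function canEdit(PDO $db, array $acl, int $userId, int $rowId): bool
{
    $stmt = $db->prepare('SELECT owner_id FROM notes WHERE id = :id');
    $stmt->execute([':id' => $rowId]);
    $ownerId = $stmt->fetchColumn();
    if ($ownerId === false) {
        return false; // row does not exist: treat as not authorized
    }
    if ((int) $ownerId === $userId) {
        return true;
    }
    return in_array($userId, $acl['editors_for_row'][$rowId] ?? [], true);
}

// Handles one edit request. $post is the untrusted form data (e.g. $_POST).
function updateRow(PDO $db, array $acl, int $userId, array $post): string
{
    // Validate every untrusted field before it touches the database.
    $rowId   = filter_var($post['id'] ?? null, FILTER_VALIDATE_INT);
    $version = filter_var($post['version'] ?? null, FILTER_VALIDATE_INT);
    $body    = $post['body'] ?? null;
    if ($rowId === false || $version === false || !is_string($body)) {
        return 'bad request';
    }
    if (!canEdit($db, $acl, $userId, $rowId)) {
        return 'forbidden';
    }
    // Optimistic concurrency: the update only applies if nobody else has
    // changed the row since the form was rendered with this version.
    $stmt = $db->prepare(
        'UPDATE notes SET body = :body, version = version + 1
          WHERE id = :id AND version = :version'
    );
    $stmt->execute([':body' => $body, ':id' => $rowId, ':version' => $version]);
    return $stmt->rowCount() === 1 ? 'updated' : 'conflict';
}

// The acting user is taken from the server-side session, never from the form.
$sessionUserId = 42;
echo updateRow($db, $acl, $sessionUserId, ['id' => '7', 'version' => '1', 'body' => 'edited']), "\n";
echo updateRow($db, $acl, $sessionUserId, ['id' => '7', 'version' => '1', 'body' => 'stale']), "\n";
echo updateRow($db, $acl, 13, ['id' => '7', 'version' => '2', 'body' => 'not mine']), "\n";
echo updateRow($db, $acl, 13, ['id' => '8', 'version' => '1', 'body' => 'no such row']), "\n";
```

Tampering with the echoed `id` gains nothing here because `canEdit` re-derives the decision from the owner column and the ACL on every request, and the `version` column turns the "lost update" concurrency problem the reply alludes to into an explicit `conflict` result instead of a silent overwrite.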